Using GitHub Actions and wanting to store secrets securely while utilising Azure? In this blog post I will be showing how you can create and store secrets in Azure Key Vault and retrieve them for use in your GitHub Actions. I wrote a bash script to achieve this, as Azure/get-keyvault-secrets@v1 has been deprecated.
Why Azure Key Vault and not just in GitHub?
- Ability to rotate secrets in one place within a Key Vault – you may have a number of secrets in the same Key Vault
- Activity log to see who/when secrets were updated or removed
- Centralisation of secret storage, rather than keeping them only on GitHub
- No need to duplicate the secret in both GitHub & Key Vault; the Key Vault is the single source of truth
- With Azure Key Vault you can monitor when secrets were accessed
Some pre-reqs
In this blog, I will be using this repo: https://github.com/thomast1906/azure-keyvault-secrets-githubaction-bash to create & run the GitHub Action, along with the below bash script to create:
- Azure Resource Group: tamopskvrg
- Azure Key Vault: tamopskvexample
- Azure Key Vault secrets: example1 & example2
RG="tamopskvrg"
LOCATION="uksouth"
KV_NAME="tamopskvexample"
# Create a resource group.
az group create --name $RG --location $LOCATION
# Create a key vault.
az keyvault create --name $KV_NAME --resource-group $RG --location $LOCATION
# Create secrets in the key vault.
az keyvault secret set --vault-name $KV_NAME --name "example1" --value "example1secretvalue"
az keyvault secret set --vault-name $KV_NAME --name "example2" --value "example2secretvalue"

GitHub Action
Time to build and run the GitHub Action
GitHub Repository Secret
Within the GitHub repository where you will be running the GitHub Action to retrieve your Azure Key Vault secrets, select Settings -> Secrets and add a secret named AZURE_CREDENTIALS, in JSON format as below. This is the Service Principal that will be used for az login and to access the Azure Key Vault (ensure the Service Principal has the correct permissions for the Azure Key Vault).
{
"clientId": "<GUID>",
"clientSecret": "<client-secret>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>"
}
Create and run GitHub Action
To add this GitHub Action to your repository, within your GitHub Repo – select Actions -> Workflows -> New workflow
(Or, if you merge into the main branch with the Action in the folder structure .github/workflows/main.yaml, it will be created automatically.)

A quick look at the bash script that will be used to retrieve the secrets and write them to the GITHUB_OUTPUT environment file:
- The bash script is a for loop over the array secrets_get, which holds the names of the secrets I want to retrieve the values for, masking each value to ***** in the job log using ::add-mask::
- Finally, each secret value is added as a step output by appending it to the GITHUB_OUTPUT environment file
- name: 'Get secrets'
  id: azure-keyvault-secrets
  run: |
    secrets_get=(example1 example2)
    for secret_get in "${secrets_get[@]}"
    do
      # Read the secret value from Key Vault as plain text
      value=$(az keyvault secret show --name "$secret_get" --vault-name tamopskvexample --query value --output tsv)
      # Mask the value before it can appear anywhere in the job log
      echo "::add-mask::$value"
      # Expose the value as a step output
      echo "$secret_get=$value" >> "$GITHUB_OUTPUT"
    done
My example will then create two resource groups with the secret values to show them being retrieved successfully
- name: Create resource groups with secret values
  run: |
    az group create --name ${{ steps.azure-keyvault-secrets.outputs.example1 }} --location uksouth
    az group create --name ${{ steps.azure-keyvault-secrets.outputs.example2 }} --location uksouth
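The one-line echo above is enough for simple string secrets, but a value that spans several lines (a certificate or private key stored in Key Vault, for example) breaks both halves of it: ::add-mask:: is a single-line workflow command, so only the first line would be masked, and NAME=VALUE in GITHUB_OUTPUT only accepts a single line. The following script is an added example, not the blog's script or anything from the repository above; it goes beyond the page's single-line case by masking every line of a value and switching to the documented NAME<<DELIMITER form for multi-line outputs, and it validates the output name. The function names, the KV_NAME environment variable and the hypothetical "pem" secret in the test are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the blog's own script). Assumptions: GITHUB_OUTPUT is set
# by the runner (the test points it at a temp file), and `az login` already ran.
set -eu

NL='
'   # a literal newline, used to detect multi-line secret values

# Print a ::add-mask:: workflow command for every line of a value.
# Workflow commands are one line each, so a multi-line value must be masked
# line by line or the later lines would leak into the job log.
mask_value() {
  printf '%s\n' "$1" | while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
}

# Append NAME=VALUE to $GITHUB_OUTPUT, using the documented
# NAME<<DELIM ... DELIM form when VALUE spans more than one line.
publish_output() {
  name=$1
  value=$2
  case "$name" in
    ''|*[!A-Za-z0-9_-]*)
      echo "publish_output: invalid output name '$name'" >&2
      return 1 ;;
  esac
  case "$value" in
    *"$NL"*)
      # Random delimiter so the value cannot terminate the block early
      delim="ghadelim_$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
      case "$value" in *"$delim"*) echo "delimiter collision" >&2; return 1 ;; esac
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT" ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT" ;;
  esac
}

# Mask first, then publish, so the value is never written anywhere unmasked.
publish_secret() {
  mask_value "$2"
  publish_output "$1" "$2"
}

# Fetch one secret value from Key Vault (needs az and a prior az login).
fetch_secret() {
  az keyvault secret show --vault-name "$1" --name "$2" --query value --output tsv
}

# Workflow entry point: KV_NAME=tamopskvexample ./get-secrets.sh example1 example2
# Skipped when KV_NAME is unset so the functions can be tested offline.
if [ -n "${KV_NAME:-}" ]; then
  for secret_name in "$@"; do
    value=$(fetch_secret "$KV_NAME" "$secret_name")
    publish_secret "$secret_name" "$value"
  done
fi
```

In the workflow the step body becomes KV_NAME=tamopskvexample ./get-secrets.sh example1 example2, and the outputs are consumed exactly as in the blog's steps.azure-keyvault-secrets.outputs.example1. The service principal behind AZURE_CREDENTIALS only needs permission to read secrets (the secret "get" permission under an access policy, or the Key Vault Secrets User role under RBAC); it does not need rights to set or delete secrets, so keep it to that.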
GitHub Action full:
name: github_action_azure_kv_secrets
on:
  workflow_dispatch:
jobs:
  docker_build_push_acr:
    name: 'GitHub Action to retrieve secrets from Azure Key Vault and deploy example resource groups to Azure'
    runs-on: ubuntu-18.04
    environment: production
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v2
      # Log in to Azure with the service principal stored in the repository secret
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: 'Get secrets'
        id: azure-keyvault-secrets
        run: |
          secrets_get=(example1 example2)
          for secret_get in "${secrets_get[@]}"
          do
            value=$(az keyvault secret show --name "$secret_get" --vault-name tamopskvexample --query value --output tsv)
            echo "::add-mask::$value"
            echo "$secret_get=$value" >> "$GITHUB_OUTPUT"
          done
      - name: Create resource groups with secret values
        run: |
          az group create --name ${{ steps.azure-keyvault-secrets.outputs.example1 }} --location uksouth
          az group create --name ${{ steps.azure-keyvault-secrets.outputs.example2 }} --location uksouth
Checking the GitHub Action run, we can see the secret values are masked in the log and not viewable:

Reviewing the Azure portal, two new Resource Groups have been created:

I did originally set out to use the action Azure/get-keyvault-secrets@v1, but it is now archived and deprecated. If there is enough interest, I may actually move this blog post into a GitHub Action.
GitHub repository used to test found here
Full code examples here